Bounty bonanza balloons and beguiles

Social code storage biz GitHub, now a ward of Microsoft, on Tuesday divulged plans to make itself more attractive to hackers by flashing larger sums of cash and offering better indemnity.

The company's five-year-old Security Bug Bounty program is being refurbished with ampler awards and broader terms of engagement. Part of the rationale for renovation involves keeping up with the rates offered by like-minded firms and part of it comes in response to ongoing security improvements that have left fewer easy bugs to find. Where greater effort is required, greater reward must follow, or hackers will look elsewhere for lower hanging fruit.

"We regularly assess our reward amounts against our industry peers," said GitHub's Philip Turnbull in a blog post provided in advance to The Register. "We also recognize that finding higher-severity vulnerabilities in GitHub's products is becoming increasingly difficult for researchers and they should be rewarded for their efforts."

To that end, GitHub has raised its bounty range for critical bugs from $10,000-$20,000 to $20,000-$30,000+, an open-ended award that allows the code biz to shower bug hunters with cash at their discretion.

The full award table reads:

Critical: $20,000-$30,000+

High: $10,000-$20,000

Medium: $4,000-$10,000

Low: $617-$2,000

GitHub said it awarded $165,000 in bug bounties last year.

The scope of GitHub's program is increasing too. It now covers all first-party services hosted under the github.com domain. It includes externally facing services like GitHub Education, GitHub Learning Lab, GitHub Jobs, GitHub Desktop, and Enterprise Cloud, as well as internally facing employee services like githubapp.com and github.net.

The hub of git is also offering better legal protection in the form of Safe Harbor terms. Turnbull said the new policies are based on CC0-licensed templates by GitHub's associate corporate counsel Fred Jennings, which were forked from EdOverflow's Legal Bug Bounty repo and modded to reflect the concerns of security researchers and the work of Amit Elazari, a lecturer at Berkeley Law and a research fellow at CTSP, Berkeley School of Information.

GitHub's Safe Harbor addresses three potential sources of risk for security researchers. It extends legal protection and authorization to hackers even if they inadvertently stray beyond the scope of the bug bounty program.

It also includes a commitment to protect hackers from legal threats by third parties who may have different ideas about the rules of engagement from GitHub. The company doesn't guarantee legal fees but it does promise privacy protection.

"We won't share your identifying information with a third party without your written permission," Turnbull explained. "We also won't share non-identifying information without notifying you first and getting the third party's written commitment not to pursue legal action against you."

Finally, the Safe Harbor brings a limited waiver for terms service violations perpetrated in the good faith pursuit of bounty research. So bounty hunters, for example, can reverse engineer GitHub Enterprise code, even though that's forbidden under the GitHub Enterprise Agreement. ®